|
| 1 | +--- |
| 2 | +title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with iSAMS | Microsoft Docs' |
| 3 | +description: Learn how to configure single sign-on between Azure Active Directory and iSAMS. |
| 4 | +services: active-directory |
| 5 | +documentationCenter: na |
| 6 | +author: jeevansd |
| 7 | +manager: mtillman |
| 8 | +ms.reviewer: barbkess |
| 9 | + |
| 10 | +ms.assetid: 01f4ef26-9adb-4a3d-b36c-dce523815afd |
| 11 | +ms.service: active-directory |
| 12 | +ms.subservice: saas-app-tutorial |
| 13 | +ms.workload: identity |
| 14 | +ms.tgt_pltfrm: na |
| 15 | +ms.topic: tutorial |
| 16 | +ms.date: 08/04/2020 |
| 17 | +ms.author: jeedes |
| 18 | + |
| 19 | +ms.collection: M365-identity-device-management |
| 20 | +--- |
| 21 | + |
| 22 | +# Tutorial: Azure Active Directory single sign-on (SSO) integration with iSAMS |
| 23 | + |
| 24 | +In this tutorial, you'll learn how to integrate iSAMS with Azure Active Directory (Azure AD). When you integrate iSAMS with Azure AD, you can: |
| 25 | + |
| 26 | +* Control in Azure AD who has access to iSAMS. |
| 27 | +* Enable your users to be automatically signed-in to iSAMS with their Azure AD accounts. |
| 28 | +* Manage your accounts in one central location - the Azure portal. |
| 29 | + |
| 30 | +To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on). |
| 31 | + |
| 32 | +## Prerequisites |
| 33 | + |
| 34 | +To get started, you need the following items: |
| 35 | + |
| 36 | +* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). |
| 37 | +* iSAMS single sign-on (SSO) enabled subscription. |
| 38 | + |
| 39 | +## Scenario description |
| 40 | + |
| 41 | +In this tutorial, you configure and test Azure AD SSO in a test environment. |
| 42 | + |
| 43 | + |
| 44 | +* iSAMS supports **SP and IDP** initiated SSO |
| 45 | +* Once you configure iSAMS you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app). |
| 46 | + |
| 47 | +## Adding iSAMS from the gallery |
| 48 | + |
| 49 | +To configure the integration of iSAMS into Azure AD, you need to add iSAMS from the gallery to your list of managed SaaS apps. |
| 50 | + |
| 51 | +1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account. |
| 52 | +1. On the left navigation pane, select the **Azure Active Directory** service. |
| 53 | +1. Navigate to **Enterprise Applications** and then select **All Applications**. |
| 54 | +1. To add new application, select **New application**. |
| 55 | +1. In the **Add from the gallery** section, type **iSAMS** in the search box. |
| 56 | +1. Select **iSAMS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. |
| 57 | + |
| 58 | + |
| 59 | +## Configure and test Azure AD SSO for iSAMS |
| 60 | + |
| 61 | +Configure and test Azure AD SSO with iSAMS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in iSAMS. |
| 62 | + |
| 63 | +To configure and test Azure AD SSO with iSAMS, complete the following building blocks: |
| 64 | + |
| 65 | +1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. |
| 66 | + 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. |
| 67 | + 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on. |
| 68 | +1. **[Configure iSAMS SSO](#configure-isams-sso)** - to configure the single sign-on settings on application side. |
| 69 | + 1. **[Create iSAMS test user](#create-isams-test-user)** - to have a counterpart of B.Simon in iSAMS that is linked to the Azure AD representation of user. |
| 70 | +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. |
| 71 | + |
| 72 | +## Configure Azure AD SSO |
| 73 | + |
| 74 | +Follow these steps to enable Azure AD SSO in the Azure portal. |
| 75 | + |
| 76 | +1. In the [Azure portal](https://portal.azure.com/), on the **iSAMS** application integration page, find the **Manage** section and select **single sign-on**. |
| 77 | +1. On the **Select a single sign-on method** page, select **SAML**. |
| 78 | +1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings. |
| 79 | + |
| 80 | +  |
| 81 | + |
| 82 | +1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields: |
| 83 | + |
| 84 | + a. In the **Identifier** text box, type a URL using the following pattern: |
| 85 | + `https://<SUBDOMAIN>.isams.cloud/main/sso/saml2` |
| 86 | + |
| 87 | + b. In the **Reply URL** text box, type a URL using the following pattern: |
| 88 | + `https://<SUBDOMAIN>.isams.cloud/main/sso/saml2/acs` |
| 89 | + |
| 90 | +1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: |
| 91 | + |
| 92 | + In the **Sign-on URL** text box, type a URL using the following pattern: |
| 93 | + `https://<SUBDOMAIN>.isams.cloud/` |
| 94 | + |
| 95 | + > [!NOTE] |
| 96 | + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [iSAMS Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. |
| 97 | + |
| 98 | +1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. |
| 99 | + |
| 100 | +  |
| 101 | + |
| 102 | +### Create an Azure AD test user |
| 103 | + |
| 104 | +In this section, you'll create a test user in the Azure portal called B.Simon. |
| 105 | + |
| 106 | +1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**. |
| 107 | +1. Select **New user** at the top of the screen. |
| 108 | +1. In the **User** properties, follow these steps: |
| 109 | + 1. In the **Name** field, enter `B.Simon`. |
| 110 | + 1. In the **User name ** field, enter the [email protected]. For example, `[email protected]`. |
| 111 | + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. |
| 112 | + 1. Click **Create**. |
| 113 | + |
| 114 | +### Assign the Azure AD test user |
| 115 | + |
| 116 | +In this section, you'll enable B.Simon to use Azure single sign-on by granting access to iSAMS. |
| 117 | + |
| 118 | +1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. |
| 119 | +1. In the applications list, select **iSAMS**. |
| 120 | +1. In the app's overview page, find the **Manage** section and select **Users and groups**. |
| 121 | + |
| 122 | +  |
| 123 | + |
| 124 | +1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. |
| 125 | + |
| 126 | +  |
| 127 | + |
| 128 | +1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. |
| 129 | +1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. |
| 130 | +1. In the **Add Assignment** dialog, click the **Assign** button. |
| 131 | + |
| 132 | +## Configure iSAMS SSO |
| 133 | + |
| 134 | +1. Log in to iSAMS as an Administrator. |
| 135 | + |
| 136 | +1. Navigate to the Control Panel and open the **Authentication** module. |
| 137 | +1. From the right-hand menu, select **Identity Providers** |
| 138 | + |
| 139 | +  |
| 140 | + |
| 141 | +1. Select **Add Provider** |
| 142 | + |
| 143 | +  |
| 144 | + |
| 145 | + |
| 146 | +1. Perform the following steps in the following page: |
| 147 | + |
| 148 | +  |
| 149 | + |
| 150 | + a. In the **Name** textbox, give a valid name like `Saml2 Azure` |
| 151 | + |
| 152 | + b. In the **Sign On URL** textbox, paste the **Login URL** value which you have copied from the Azure portal. |
| 153 | + |
| 154 | + c. In the **Issuer** textbox, paste the **Entity ID** value which you have copied from the Azure portal. |
| 155 | + |
| 156 | + d. Set the **Force Authentication** to **False** from dropdown. |
| 157 | + |
| 158 | + e. Fill the **User Attribute Statement** textbox with a valid username. |
| 159 | + |
| 160 | + f. Open the downloaded **Certificate** from the Azure portal into Notepad and paste the content into the **X509 Fingerprint** textbox. |
| 161 | + |
| 162 | + g. Set the **Disable Audience Restriction** value to **False** from the dropdown. |
| 163 | + |
| 164 | + h. Click on **Save & Close**. |
| 165 | + |
| 166 | +### Create iSAMS test user |
| 167 | + |
| 168 | +1. Log in to iSAMS as an Administrator. |
| 169 | + |
| 170 | +2. Go to the **Control Panel Home** -> **Security & Permissions** -> **User Accounts** -> **User Options & Tasks** -> **Modify User Properties** |
| 171 | + |
| 172 | +  |
| 173 | + |
| 174 | + |
| 175 | +3. In the resulting popup window, select the **Account Details** tab, and change the **Authorization** to that of your newly created Identity Provider. |
| 176 | + |
| 177 | +  |
| 178 | + |
| 179 | +4. Click on **Save & Close**. |
| 180 | + |
| 181 | +## Test SSO |
| 182 | + |
| 183 | +In this section, you test your Azure AD single sign-on configuration using the Access Panel. |
| 184 | + |
| 185 | +When you click the iSAMS tile in the Access Panel, you should be automatically signed in to the iSAMS for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction). |
| 186 | + |
| 187 | +## Additional resources |
| 188 | + |
| 189 | +- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list) |
| 190 | + |
| 191 | +- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) |
| 192 | + |
| 193 | +- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) |
| 194 | + |
| 195 | +- [Try iSAMS with Azure AD](https://aad.portal.azure.com/) |
| 196 | + |
| 197 | +- [What is session control in Microsoft Cloud App Security?](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad) |
0 commit comments